X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/e55c0798441111170d731eb3ec7a4874dadda79b..687f7f7b77d72e6e6ad6aa5f2323894cc87c1366:/doc/plugins/contrib/unixauth/discussion.mdwn?ds=sidebyside diff --git a/doc/plugins/contrib/unixauth/discussion.mdwn b/doc/plugins/contrib/unixauth/discussion.mdwn index 7bfdc9665..232649863 100644 --- a/doc/plugins/contrib/unixauth/discussion.mdwn +++ b/doc/plugins/contrib/unixauth/discussion.mdwn @@ -18,3 +18,21 @@ So I don't think I'll be accepting this plugin into ikiwiki itself.. Thanks for the comments. That's definitely an undesirable interaction between pwauth and ikiwiki; in my current application it wouldn't be a serious problem, but I'd like this plugin to be general-purpose and safe enough for inclusion in ikiwiki. It's the system-users-are-wiki-users idea I'm married to here, not pwauth itself; can you suggest another approach I might take? -- [[schmonz]] + +> Have you considered using [[plugins/httpauth]] and then the appropriate apache module? There are apache modules like [mod_authnz_external](http://unixpapa.com/mod_auth_external.html) that might help. The advantage of these solutions is that they usually make the security implications explicit. -- Will + +Actually, yes. That's how I made sure I had pwauth working to begin with. I'm partial to the form-based approach because I'm not aware of any way to reliably "log out" browsers from HTTP authentication. If that *is* reliably possible, then I worked way too hard for no reason. ;-) +-- [[schmonz]] + +I've added support for [checkpassword](http://cr.yp.to/checkpwd/interface.html), since those generally don't have any rate-limiting cleverness to interfere with ikiwiki's, and made a few other changes. Please check out the plugin docs again and let me know if this is closer to being acceptable. +-- [[schmonz]] + +> I actually think that the rate limiting is a good thing. After all, +> ikiwiki doesn't do its own login rate limiting. Just need to find a way +> to disentangle the two locks. --[[Joey]] + +>> Ah, ok, I misunderstood your comment. I'll see what I can figure out. --[[schmonz]] + +>>> My time's been limited for this, but I just saw [[todo/avoid_thrashing]]. How does that interact with pwauth or checkpassword? --[[schmonz]] + +>>>> The DOS still happens, it just uses less memory. --[[Joey]]